问题描述

我正在使用Spring 4开发REST API.我想使用Spring Security来保护某些端点，但是根据我所读的内容，可以使用@EnableGlobalMethodSecurity或@EnableWebSecurity来完成此操作.不幸的是，我为这些工具找到的文档没有清楚地说明它们的作用(或它们之间的比较).如果我想基于标准关系数据库中声明的数据和关系通过身份验证和授权来保护Spring REST API，那么在Spring 4中推荐的方法是什么?

I am developing a REST API using Spring 4. I would like to secure some of the endpoints using Spring Security, but based on what I've read this can be done with either @EnableGlobalMethodSecurity or @EnableWebSecurity. Unfortunately, the documentation that I have found for these don't clearly explain what they do (or how they compare). If I want to secure a Spring REST API with authentication and authorization based on data and relationships declared in a standard relational database, what is the recommended method for achieving this in Spring 4?

推荐答案

EnableWebSecurity将通过 HttpSecurity 提供您可以在xml配置中使用<http></http>标记找到的配置，它允许您根据url模式，身份验证端点，处理程序等...

EnableWebSecurity will provide configuration via HttpSecurity providing the configuration you could find with <http></http> tag in xml configuration, it's allow you to configure your access based on urls patterns, the authentication endpoints, handlers etc...

EnableGlobalMethodSecurity提供方法的AOP安全性，它将启用的一些注释是PreAuthorize PostAuthorize，并且它对 JSR-250 . 配置中还有更多参数可用于你

EnableGlobalMethodSecurity provides AOP security on methods, some of annotation it will enable are PreAuthorize PostAuthorize also it has support for JSR-250. There is also more parameters in configuration for you

为满足您的需求，最好将两者结合在一起.借助REST，您可以仅使用@EnableWebSecurity来实现所需的一切，因为HttpSecurity#antMatchers(HttpMethod,String...)接受对Http方法的控制

For your needs, it's better mix the two. With REST you can achieve all you need only with @EnableWebSecurity, since HttpSecurity#antMatchers(HttpMethod,String...) accepts controls over Http methods

这篇关于@EnableGlobalMethodSecurity与@EnableWebSecurity的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！